Malware Analysis Report

2024-10-19 02:35

Sample ID 220306-14fx2ahdbn
Target a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d
SHA256 a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d
Tags
amadey taurus discovery evasion spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d

Threat Level: Known bad

The file a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d was found to be: Known bad.

Malicious Activity Summary

amadey taurus discovery evasion spyware stealer trojan

Taurus Stealer Payload

Amadey

Taurus Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Executes dropped EXE

Reads user/profile data of web browsers

Identifies Wine through registry keys

Drops startup file

Loads dropped DLL

Checks computer location settings

Checks BIOS information in registry

Checks installed software on the system

Accesses 2FA software files, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-03-06 22:12

Signatures

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-06 22:12

Reported

2022-03-06 22:14

Platform

win7-en-20211208

Max time kernel

149s

Max time network

167s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"

Signatures

Amadey

trojan amadey

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\97fd00311d\bween.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\97fd00311d\bween.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\ProgramData\97fd00311d\bween.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; call count in brackets)
PID 1560 wrote to memory of 860 [x7] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
PID 1560 wrote to memory of 1248 [x7] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
PID 1560 wrote to memory of 1392 [x7] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
PID 1248 wrote to memory of 1988 [x7] N/A C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe C:\ProgramData\97fd00311d\bween.exe
PID 860 wrote to memory of 864 [x7] N/A C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
PID 1988 wrote to memory of 1964 [x4] N/A C:\ProgramData\97fd00311d\bween.exe C:\Windows\SysWOW64\cmd.exe
PID 1964 wrote to memory of 1992 [x4] N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
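
The sandbox emits one row per WriteProcessMemory call and repeats identical rows, so the execution chain is easier to read once the rows are folded into a parent/child tree. The Python below is an added example, not part of the sandbox's report or tooling: it parses rows in the raw per-call form the sandbox prints (`PID X wrote to memory of Y N/A <writer path> <target path>`), folds the repeats into a per-edge count, and renders the tree. The sample rows are a constructed subset of the table above using the report's own image paths; the exact row syntax is an assumption of this example.

```python
import re
from collections import Counter, defaultdict

# Image paths exactly as the behavioral1 report lists them.
ROOT = r"C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"
ARCH = r"C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"
PERMIT = r"C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"
BID = r"C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"
BWEEN = r"C:\ProgramData\97fd00311d\bween.exe"
REALTEK = r"C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG = r"C:\Windows\SysWOW64\reg.exe"

# Constructed sample: a subset of the report's "wrote to memory of" rows, with a few
# of the sandbox's repeated rows kept so the parser has duplicates to fold.
SAMPLE_ROWS = rf"""
PID 1560 wrote to memory of 860 N/A {ROOT} {ARCH}
PID 1560 wrote to memory of 860 N/A {ROOT} {ARCH}
PID 1560 wrote to memory of 860 N/A {ROOT} {ARCH}
PID 1560 wrote to memory of 1248 N/A {ROOT} {PERMIT}
PID 1560 wrote to memory of 1248 N/A {ROOT} {PERMIT}
PID 1560 wrote to memory of 1392 N/A {ROOT} {BID}
PID 1248 wrote to memory of 1988 N/A {PERMIT} {BWEEN}
PID 1248 wrote to memory of 1988 N/A {PERMIT} {BWEEN}
PID 860 wrote to memory of 864 N/A {ARCH} {REALTEK}
PID 1988 wrote to memory of 1964 N/A {BWEEN} {CMD}
PID 1964 wrote to memory of 1992 N/A {CMD} {REG}
"""

# Both paths end in ".exe" and the writer's path contains no other ".exe ", so a lazy
# first group splits the two even though the target path may contain spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def parse_rows(text):
    """One (parent_pid, child_pid, parent_path, child_path) tuple per report row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def build_tree(events):
    """Fold repeated rows into a per-edge count; remember each PID's image and children."""
    edge_count = Counter((p, c) for p, c, _, _ in events)
    image, children = {}, defaultdict(list)
    for p, c, ppath, cpath in events:
        image.setdefault(p, ppath)
        image.setdefault(c, cpath)
        if c not in children[p]:
            children[p].append(c)
    return edge_count, image, dict(children)


def roots(edge_count):
    """PIDs that write to others but were never written to: the detonated sample."""
    parents = {p for p, _ in edge_count}
    return sorted(parents - {c for _, c in edge_count})


def chain(edge_count, pid):
    """Ancestry from the root down to pid (every child here has exactly one writer)."""
    parent_of = {c: p for p, c in edge_count}
    path = [pid]
    while path[-1] in parent_of:
        path.append(parent_of[path[-1]])
    return path[::-1]


def render(edge_count, image, children, pid, depth=0):
    """Indented tree, one line per process, with the folded call count on each edge."""
    name = image[pid].rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{pid} {name}"]
    for c in children.get(pid, []):
        sub = render(edge_count, image, children, c, depth + 1)
        sub[0] += f"   [{edge_count[(pid, c)]} WriteProcessMemory call(s) from {pid}]"
        lines.extend(sub)
    return lines


if __name__ == "__main__":
    ec, im, ch = build_tree(parse_rows(SAMPLE_ROWS))
    for r in roots(ec):
        print("\n".join(render(ec, im, ch, r)))
```

Run against the full table the tree is the same in both detonations: the sample launches Arch_40.exe, Permit_17.exe and Bid_19.exe; Arch_40.exe starts RealtekSb.exe, and Permit_17.exe starts bween.exe, which runs cmd.exe and then reg.exe for the persistence command shown under Processes.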

Processes

C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe

"C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

"C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

"C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

"C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"

C:\ProgramData\97fd00311d\bween.exe

"C:\ProgramData\97fd00311d\bween.exe"

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

"C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\
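
The last two processes are the persistence step. bween.exe, the copy that Permit_17.exe wrote to C:\ProgramData\97fd00311d\ (the two share every hash in the Files list), runs reg.exe to repoint the per-user `User Shell Folders\Startup` value at its own directory, so Explorer treats that directory as the Startup folder and launches its contents at logon without anything being written to the real Startup folder. Arch_40.exe takes the plainer route and drops RealtekSb.lnk into the real Startup folder (see "Drops startup file" above). The Python below is an added example, not sandbox code: it runs four detection rules, one per signature family in this run, over a constructed event list modelled on the tables above (registry value query, registry key open, file create, process create). The event field names are this example's own, and the two entries marked as benign controls are made up to show what the rules must not flag.

```python
import re

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
BIOS_VALUES = {"systembiosversion", "videobiosversion"}
# Default per-user Startup folder, lower-cased and matched as a suffix so both the
# %USERPROFILE% form and an expanded C:\Users\<name>\... form are accepted.
DEFAULT_STARTUP_SUFFIX = "\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup"

# Constructed events modelled on the behavioral1 tables. Field names are this
# example's own, not the sandbox's schema; "benign control" entries are invented.
EVENTS = [
    {"type": "reg_query", "proc": r"C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_query", "proc": r"C:\Windows\System32\svchost.exe",  # benign control
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"type": "reg_open", "proc": r"C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-2329389628-4064185017-3901522362-1000\Software\Wine"},
    {"type": "file_create", "proc": r"C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe",
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk"},
    {"type": "proc_create", "proc": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": 'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"'
                ' /f /v Startup /t REG_SZ /d C:\\ProgramData\\97fd00311d\\'},
    {"type": "proc_create", "proc": r"C:\Windows\SysWOW64\reg.exe",  # benign control
     "cmdline": 'REG ADD "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders"'
                ' /f /v Startup /t REG_EXPAND_SZ /d "%USERPROFILE%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"'},
]

# reg.exe accepts the key, the /v value name and the /d data either bare or double-quoted.
REG_ADD_RE = re.compile(r'^\s*REG\s+ADD\s+(?:"(?P<qkey>[^"]+)"|(?P<key>\S+))(?P<rest>.*)$', re.I)
VALUE_RE = re.compile(r'/v\s+(?:"(?P<q>[^"]+)"|(?P<u>\S+))', re.I)
DATA_RE = re.compile(r'/d\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.I)


def parse_reg_add(cmdline):
    """Split a 'REG ADD' command line into key, value name and data; None if it is not one."""
    m = REG_ADD_RE.match(cmdline)
    if not m:
        return None
    v = VALUE_RE.search(m.group("rest"))
    d = DATA_RE.search(m.group("rest"))
    return {"key": m.group("qkey") or m.group("key"),
            "value": (v.group("q") or v.group("u")) if v else None,
            "data": (d.group("q") or d.group("u")) if d else None}


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def evaluate(events):
    """Return (rule, process, detail) hits for the event stream."""
    hits = []
    for e in events:
        proc = e["proc"]
        if e["type"] == "reg_query":
            # VirtualBox/VMware leave their names in these BIOS strings. Plenty of
            # legitimate software reads them too, so only flag reads from binaries
            # running out of user-writable locations, as every dropped stage here does.
            value = e["key"].rsplit("\\", 1)[-1].lower()
            if value in BIOS_VALUES and is_user_writable(proc):
                hits.append(("bios_version_query", proc, e["key"]))
        elif e["type"] == "reg_open":
            # HKCU\Software\Wine only exists under Wine; probing it is a sandbox check.
            if e["key"].lower().endswith("\\software\\wine"):
                hits.append(("wine_key_probe", proc, e["key"]))
        elif e["type"] == "file_create":
            p = e["path"].lower()
            if "\\start menu\\programs\\startup\\" in p and p.endswith(".lnk"):
                hits.append(("startup_lnk_drop", proc, e["path"]))
        elif e["type"] == "proc_create":
            r = parse_reg_add(e["cmdline"])
            if r and "user shell folders" in r["key"].lower() and (r["value"] or "").lower() == "startup":
                data = (r["data"] or "").rstrip("\\").lower()
                # Pointing the Startup shell folder anywhere but its default makes
                # Explorer run whatever sits in that directory at logon.
                if not data.endswith(DEFAULT_STARTUP_SUFFIX):
                    hits.append(("startup_folder_redirect", proc, r["data"]))
    return hits


if __name__ == "__main__":
    for rule, proc, detail in evaluate(EVENTS):
        print(f"{rule:24} {proc}\n{'':24} {detail}")
```

On a live host the same check is a comparison of the `Startup` value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders against the default path the rule uses; any other location is a redirect, and the directory it names is where to look for the payload.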

Network

Country Destination Domain Proto (identical rows collapsed; connection count in brackets)
RU 217.8.117.207:80 tcp [x8]
NL 185.92.148.230:80 tcp [x5]

Files

memory/1560-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd389F.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

\Users\Admin\AppData\Roaming\Software\Permit_17.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

\Users\Admin\AppData\Roaming\Software\Bid_19.exe

MD5 4868ef1ed1eeccf63f09c2407c438b2f
SHA1 f40fb4d4506bf9f155e1cc1b0990c65435137a86
SHA256 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
SHA512 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

MD5 4868ef1ed1eeccf63f09c2407c438b2f
SHA1 f40fb4d4506bf9f155e1cc1b0990c65435137a86
SHA256 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
SHA512 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

memory/860-66-0x0000000076F30000-0x00000000770B0000-memory.dmp

memory/1248-70-0x0000000076F30000-0x00000000770B0000-memory.dmp

memory/860-73-0x00000000001C0000-0x0000000000B5B000-memory.dmp

memory/1248-75-0x0000000000370000-0x0000000000371000-memory.dmp

memory/1248-74-0x0000000000E10000-0x0000000001495000-memory.dmp

memory/860-76-0x0000000000D40000-0x0000000000D41000-memory.dmp

memory/860-77-0x0000000000D70000-0x0000000000D71000-memory.dmp

memory/860-80-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

memory/860-81-0x0000000000D30000-0x0000000000D31000-memory.dmp

memory/860-79-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/860-82-0x0000000000D00000-0x0000000000D01000-memory.dmp

memory/860-83-0x0000000000D90000-0x0000000000D91000-memory.dmp

memory/860-84-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

memory/1248-85-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1248-86-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1248-87-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1248-88-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1248-89-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1248-90-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1248-91-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/1248-92-0x0000000000470000-0x0000000000471000-memory.dmp

memory/1248-93-0x0000000000390000-0x0000000000391000-memory.dmp

memory/1248-94-0x0000000000380000-0x0000000000381000-memory.dmp

memory/1248-96-0x0000000000480000-0x0000000000481000-memory.dmp

memory/1248-95-0x0000000000260000-0x0000000000261000-memory.dmp

\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\ProgramData\97fd00311d\bween.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

\ProgramData\97fd00311d\bween.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

memory/1392-102-0x0000000000B60000-0x0000000000B61000-memory.dmp

memory/1392-103-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/1392-105-0x0000000000B70000-0x0000000000B71000-memory.dmp

memory/1392-104-0x0000000000B80000-0x0000000000B81000-memory.dmp

memory/1392-106-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/1392-107-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/1392-108-0x0000000000120000-0x00000000007B4000-memory.dmp

C:\ProgramData\152123293896284064185017

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1988-112-0x0000000000270000-0x00000000008F5000-memory.dmp

memory/1988-113-0x0000000000940000-0x0000000000941000-memory.dmp

memory/1988-114-0x0000000000970000-0x0000000000971000-memory.dmp

memory/1988-115-0x0000000000250000-0x0000000000251000-memory.dmp

memory/1988-116-0x0000000000960000-0x0000000000961000-memory.dmp

memory/1988-117-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1988-118-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1988-119-0x0000000000950000-0x0000000000951000-memory.dmp

memory/1988-120-0x0000000000990000-0x0000000000991000-memory.dmp

memory/1988-121-0x0000000000920000-0x0000000000921000-memory.dmp

memory/1988-122-0x0000000000910000-0x0000000000911000-memory.dmp

memory/1988-123-0x0000000000900000-0x0000000000901000-memory.dmp

memory/1988-124-0x00000000009A0000-0x00000000009A1000-memory.dmp

memory/1988-125-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/864-127-0x0000000000B20000-0x0000000000B21000-memory.dmp

memory/864-126-0x0000000000CB0000-0x000000000164B000-memory.dmp

memory/864-131-0x0000000000B10000-0x0000000000B11000-memory.dmp

memory/864-130-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/864-129-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/864-128-0x0000000000B30000-0x0000000000B31000-memory.dmp

memory/864-132-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/864-133-0x0000000000B50000-0x0000000000B51000-memory.dmp

memory/864-135-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/864-134-0x0000000000B80000-0x0000000000B81000-memory.dmp
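
Read with the hashes side by side, the Files list says more than the paths do: Arch_40.exe and RealtekSb.exe carry the same MD5, SHA-1 and SHA-256, as do Permit_17.exe and bween.exe, so each second stage writes a byte-identical copy of itself to its persistence location; and C:\ProgramData\152123293896284064185017 has the digests of zero-byte input (d41d8cd9... and e3b0c442... are the MD5 and SHA-256 of an empty file), so it is an empty file, not a payload. The Python below is an added example, not part of the report or the sandbox: it parses the flattened path-then-hash-lines layout of the section above and surfaces both facts. The sample is a constructed subset of the entries above, with the SHA512 lines left out for brevity (the parser accepts them).

```python
import hashlib
from collections import defaultdict

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed sample in the layout of the Files section: a path line, then its hash
# lines, with memory-dump entries standing alone. Values are the report's own.
SAMPLE_FILES = r"""
memory/1560-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\ProgramData\97fd00311d\bween.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

C:\ProgramData\152123293896284064185017

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""


def parse_files(text):
    """Return (entries, dumps): entries are {"path", "MD5", ...} dicts in report order."""
    entries, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, _, value = line.partition(" ")
        if label in HASH_LABELS and current is not None:
            current[label] = value.lower()
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = {"path": line}
            entries.append(current)
    return entries, dumps


def normalize(path):
    """The report lists '\\Users\\...' and 'C:\\Users\\...' for the same file; fold them."""
    return path.lower() if path[:1] != "\\" else "c:" + path.lower()


def group_by_sha256(entries):
    groups = defaultdict(list)
    for e in entries:
        if "SHA256" in e:
            n = normalize(e["path"])
            if n not in groups[e["SHA256"]]:
                groups[e["SHA256"]].append(n)
    return dict(groups)


def self_copies(entries):
    """SHA256 values that appear under more than one distinct path."""
    return {h: paths for h, paths in group_by_sha256(entries).items() if len(paths) > 1}


def empty_files(entries):
    """Paths whose SHA256 is the digest of zero bytes."""
    return [e["path"] for e in entries if e.get("SHA256") == EMPTY_SHA256]


if __name__ == "__main__":
    ents, dumps = parse_files(SAMPLE_FILES)
    for h, paths in self_copies(ents).items():
        print(h[:16], "->", " == ".join(paths))
    print("empty:", empty_files(ents), "| memory dumps:", len(dumps))
```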

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-06 22:12

Reported

2022-03-06 22:14

Platform

win10v2004-en-20220112

Max time kernel

162s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"

Signatures

Amadey

trojan amadey

Taurus Stealer

trojan stealer taurus

Taurus Stealer Payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\97fd00311d\bween.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\97fd00311d\bween.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation C:\ProgramData\97fd00311d\bween.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RealtekSb.lnk C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Software\Wine C:\ProgramData\97fd00311d\bween.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses 2FA software files, possible credential harvesting

spyware stealer

Checks installed software on the system

discovery

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target (identical rows collapsed; call count in brackets)
PID 3972 wrote to memory of 2124 [x3] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
PID 3972 wrote to memory of 2904 [x3] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
PID 3972 wrote to memory of 312 [x3] N/A C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
PID 2124 wrote to memory of 3732 [x3] N/A C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
PID 2904 wrote to memory of 360 [x3] N/A C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe C:\ProgramData\97fd00311d\bween.exe
PID 360 wrote to memory of 3180 [x3] N/A C:\ProgramData\97fd00311d\bween.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 496 [x3] N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe

"C:\Users\Admin\AppData\Local\Temp\a0a99841ac66d40954d49f6f276234a122d0454f9ce7a059c6d471d38f06a05d.exe"

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

"C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe"

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

"C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe"

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

"C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe"

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

"C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe"

C:\ProgramData\97fd00311d\bween.exe

"C:\ProgramData\97fd00311d\bween.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\ProgramData\97fd00311d\

Network

Country Destination         Domain                              Proto
US      93.184.220.29:80    -                                   tcp
US      8.8.8.8:53          geo.prod.do.dsp.mp.microsoft.com    udp
US      52.184.217.37:443   geo.prod.do.dsp.mp.microsoft.com    tcp
US      8.8.8.8:53          kv801.prod.do.dsp.mp.microsoft.com  udp
NL      184.29.205.60:443   kv801.prod.do.dsp.mp.microsoft.com  tcp
US      8.8.8.8:53          cp801.prod.do.dsp.mp.microsoft.com  udp
NL      184.29.205.60:443   cp801.prod.do.dsp.mp.microsoft.com  tcp
NL      184.29.205.60:443   cp801.prod.do.dsp.mp.microsoft.com  tcp
US      209.197.3.8:80      -                                   tcp
NL      185.92.148.230:80   -                                   tcp
US      8.8.8.8:53          www.bing.com                        udp
US      131.253.33.200:443  www.bing.com                        tcp
RU      217.8.117.207:80    -                                   tcp
RU      217.8.117.207:80    -                                   tcp
RU      217.8.117.207:80    -                                   tcp
NL      185.92.148.230:80   -                                   tcp
RU      217.8.117.207:80    -                                   tcp
NL      185.92.148.230:80   -                                   tcp
NL      185.92.148.230:80   -                                   tcp
NL      185.92.148.230:80   -                                   tcp

(- = no domain recorded for that destination)
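Added example, not part of the sandbox output: it parses the Network table and separates the sandbox's own background traffic (the DNS queries to 8.8.8.8:53, the *.prod.do.dsp.mp.microsoft.com Windows Delivery Optimization hosts and www.bing.com) from TCP connections for which no domain was recorded. What remains is repeated connections to bare IPs on port 80, which is what to pull from the pcap first. The report does not say which of those endpoints belongs to the loader and which to the stealer, so the example ranks them by connection count rather than labelling them. The rows are copied from the table above; the allow-list of benign domains and the function names are the example's own assumptions.

```python
from collections import Counter

# Rows copied from the report's Network table (constructed sample input; the Domain
# column is empty where the sandbox recorded no domain for the destination).
NETWORK_ROWS = r"""
US 93.184.220.29:80 tcp
US 8.8.8.8:53 geo.prod.do.dsp.mp.microsoft.com udp
US 52.184.217.37:443 geo.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 kv801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 kv801.prod.do.dsp.mp.microsoft.com tcp
US 8.8.8.8:53 cp801.prod.do.dsp.mp.microsoft.com udp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
NL 184.29.205.60:443 cp801.prod.do.dsp.mp.microsoft.com tcp
US 209.197.3.8:80 tcp
NL 185.92.148.230:80 tcp
US 8.8.8.8:53 www.bing.com udp
US 131.253.33.200:443 www.bing.com tcp
RU 217.8.117.207:80 tcp
RU 217.8.117.207:80 tcp
RU 217.8.117.207:80 tcp
NL 185.92.148.230:80 tcp
RU 217.8.117.207:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
NL 185.92.148.230:80 tcp
"""

# Assumed allow-list for sandbox/OS background traffic; tune this per environment.
BENIGN_DOMAIN_SUFFIXES = ("microsoft.com", "bing.com")
SANDBOX_RESOLVER = "8.8.8.8:53"


def parse_network(text):
    """Rows as dicts; accepts both the 3-column (no domain) and 4-column layout,
    and treats a '-' placeholder in the Domain column as no domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        if domain == "-":
            domain = ""
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_background(row):
    """True for the resolver queries and for hosts under the benign suffixes."""
    if row["proto"] == "udp" and f"{row['ip']}:{row['port']}" == SANDBOX_RESOLVER:
        return True
    d = row["domain"].lower()
    return any(d == s or d.endswith("." + s) for s in BENIGN_DOMAIN_SUFFIXES)


def unresolved_endpoints(rows):
    """Counter of ip:port for TCP connections with no recorded domain, most repeated first."""
    return Counter(f"{r['ip']}:{r['port']}" for r in rows
                   if r["proto"] == "tcp" and not r["domain"] and not is_background(r))


def triage_network(text=NETWORK_ROWS):
    rows = parse_network(text)
    background = sum(1 for r in rows if is_background(r))
    return {"rows": len(rows), "background": background,
            "unresolved": unresolved_endpoints(rows)}


if __name__ == "__main__":
    result = triage_network()
    print(f"{result['rows']} rows, {result['background']} background")
    for endpoint, n in result["unresolved"].most_common():
        print(f"{n:3d}  {endpoint}")
```

The two most repeated endpoints, 185.92.148.230:80 and 217.8.117.207:80, are bare-IP HTTP without any preceding DNS row, so a pcap filter on those destinations is the fastest way to recover the request bodies the loader and stealer sent.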

Files

C:\Users\Admin\AppData\Local\Temp\nst5F12.tmp\System.dll

MD5 0063d48afe5a0cdc02833145667b6641
SHA1 e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

MD5 4868ef1ed1eeccf63f09c2407c438b2f
SHA1 f40fb4d4506bf9f155e1cc1b0990c65435137a86
SHA256 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
SHA512 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe

MD5 4868ef1ed1eeccf63f09c2407c438b2f
SHA1 f40fb4d4506bf9f155e1cc1b0990c65435137a86
SHA256 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010
SHA512 2705bae0ae86ced5684b25fdcba0aec731ba3a9d3fac0ab49563176751d355525c9c5e5e9c082fd77155ec6ac42c8e3e1fc8d6bad418d762b1e19fe0abe4d9a5

memory/2124-137-0x0000000077230000-0x00000000773D3000-memory.dmp

memory/2904-138-0x0000000077230000-0x00000000773D3000-memory.dmp

memory/2124-139-0x0000000000EB0000-0x000000000184B000-memory.dmp

memory/312-140-0x0000000077230000-0x00000000773D3000-memory.dmp

memory/2124-142-0x0000000003AC0000-0x0000000003AC1000-memory.dmp

memory/2124-143-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

memory/2124-141-0x0000000003AB0000-0x0000000003AB1000-memory.dmp

memory/2124-144-0x0000000003A70000-0x0000000003A71000-memory.dmp

memory/2124-145-0x0000000003A90000-0x0000000003A91000-memory.dmp

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe

MD5 22f31f5dee32cb8ac454a216b9226a60
SHA1 a716176ff41859483dce502a76dbe5d0f6961854
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1
SHA512 16fd60437d6e17528051a1564526fa7f816575b4036862c98831e9b1bd5e9fce57fb71ab17a211de69bf24cf1d03079313e8a84a9d3a143969607c666f28ca4e

memory/312-148-0x0000000003350000-0x0000000003351000-memory.dmp

memory/312-150-0x0000000003360000-0x0000000003361000-memory.dmp

memory/2904-149-0x0000000001000000-0x0000000001685000-memory.dmp

memory/312-151-0x00000000007C0000-0x0000000000E54000-memory.dmp

memory/2904-152-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

memory/2904-153-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

memory/2904-154-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/2904-156-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

memory/2904-155-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/2904-157-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/2904-158-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

C:\ProgramData\97fd00311d\bween.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

C:\ProgramData\97fd00311d\bween.exe

MD5 77726cbf962c895ed94737fb5d1999cd
SHA1 f69fea46fd0bed8b452cac3923664bca749e78c3
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99
SHA512 51072de276ad97d0269e97e0b6296d556a18dd78e39ac51384a2758a03dcb1203bd10eb678905b6a33551e539b43287b89b1b2cd7fdf6e79b2177c9b31af6979

memory/3732-161-0x0000000077230000-0x00000000773D3000-memory.dmp

memory/3732-162-0x0000000000920000-0x00000000012BB000-memory.dmp

memory/3732-163-0x0000000002D90000-0x0000000002D91000-memory.dmp

memory/3732-164-0x0000000003620000-0x0000000003621000-memory.dmp

memory/3732-165-0x0000000002D50000-0x0000000002D51000-memory.dmp

memory/3732-166-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/3732-167-0x0000000003630000-0x0000000003631000-memory.dmp

memory/3732-168-0x0000000003670000-0x0000000003671000-memory.dmp

memory/3732-169-0x0000000003640000-0x0000000003641000-memory.dmp

memory/3732-170-0x0000000003650000-0x0000000003651000-memory.dmp

memory/360-171-0x0000000077230000-0x00000000773D3000-memory.dmp

C:\ProgramData\152179071449815494214911

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/360-173-0x0000000000250000-0x00000000008D5000-memory.dmp

memory/360-174-0x0000000002E60000-0x0000000002E61000-memory.dmp

memory/360-176-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/360-175-0x0000000002E70000-0x0000000002E71000-memory.dmp

memory/360-177-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/360-179-0x0000000002E40000-0x0000000002E41000-memory.dmp

memory/360-178-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/360-180-0x0000000002E80000-0x0000000002E81000-memory.dmp
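Added example, not from the sandbox and not code from the malware: it parses the Files listing into (path, digests) entries, groups paths by SHA256, and derives the empty-input digests with hashlib so that zero-byte drops are flagged from first principles rather than from a memorised constant. On this report it shows that Arch_40.exe and RealtekSb.exe are one binary, Permit_17.exe and bween.exe are another (the ProgramData copy is the one the Startup redirect launches), and that C:\ProgramData\152179071449815494214911 is a zero-byte file, since its MD5 and SHA256 are the digests of empty input. The sample input is abridged from the listing above to the MD5 and SHA256 lines, with one repeated listing kept; the function names are the example's own.

```python
import hashlib
import re

# Abridged from the report's Files section (constructed sample input): MD5 and SHA256
# only, one duplicated listing kept to show the de-duplication, and a memory-dump line
# kept as it appears so the parser has to skip it.
FILES = r"""
C:\Users\Admin\AppData\Local\Temp\nst5F12.tmp\System.dll
MD5 0063d48afe5a0cdc02833145667b6641
SHA256 ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
MD5 22f31f5dee32cb8ac454a216b9226a60
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\Users\Admin\AppData\Roaming\Puddle\Arch_40.exe
MD5 22f31f5dee32cb8ac454a216b9226a60
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\Users\Admin\AppData\Roaming\Software\Permit_17.exe
MD5 77726cbf962c895ed94737fb5d1999cd
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

C:\Users\Admin\AppData\Roaming\Software\Bid_19.exe
MD5 4868ef1ed1eeccf63f09c2407c438b2f
SHA256 cbafc5f1a4c6b911fc9e93899a7250f45f99f7af4525bc8541c4ac158b20c010

memory/2124-137-0x0000000077230000-0x00000000773D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Realtek Sound Blaster\RealtekSb.exe
MD5 22f31f5dee32cb8ac454a216b9226a60
SHA256 c00cbde3ad305db237d46608963a7ea9300f52caa95236df92e67a1b96fabdd1

C:\ProgramData\97fd00311d\bween.exe
MD5 77726cbf962c895ed94737fb5d1999cd
SHA256 f79ace00ab34680537542a53d04135231daed2320e832c5702392f1a69f92e99

C:\ProgramData\152179071449815494214911
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]{32,128})$")
# Digests of zero-byte input, computed rather than hard-coded.
EMPTY = {"MD5": hashlib.md5(b"").hexdigest(), "SHA256": hashlib.sha256(b"").hexdigest()}


def parse_files(text):
    """List of (path, {algo: digest}) in listing order; memory dumps carry no hashes and are skipped."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            if current is not None:
                current[1][m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None
            continue
        current = (line, {})
        entries.append(current)
    return entries


def group_by_sha256(entries):
    """{sha256: [unique paths]} so one binary dropped under several names is visible."""
    groups = {}
    for path, digests in entries:
        sha = digests.get("SHA256")
        if sha and path not in groups.setdefault(sha, []):
            groups[sha].append(path)
    return groups


def duplicate_drops(groups):
    """Only the hashes that appear under more than one path."""
    return {sha: paths for sha, paths in groups.items() if len(paths) > 1}


def empty_files(entries):
    """Unique paths whose recorded digest (any algorithm we know) is that of empty input."""
    found = []
    for path, digests in entries:
        if path not in found and any(digests.get(a) == h for a, h in EMPTY.items()):
            found.append(path)
    return found


if __name__ == "__main__":
    entries = parse_files(FILES)
    for sha, paths in duplicate_drops(group_by_sha256(entries)).items():
        print(sha[:16], "->", " | ".join(paths))
    print("zero-byte:", empty_files(entries))
```

Grouping by hash before writing IOCs keeps the indicator list honest: two SHA256 values cover four of the dropped executables, and the zero-byte marker file is worth listing by path, not by hash, because its digest matches every empty file on every system.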